CVSS: 4.3EPSS: 0%CPEs: 58EXPL: 2CVE-2009-3444 – e107 0.7.16 - Referer header Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-3444
Cross-site scripting (XSS) vulnerability in email.php in e107 0.7.16 and earlier allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header in a news.1 (aka news to email) action. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en email.php en e107 v0.7.16 y anteriores, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de la cabecera HTTP Referer en una acción news.1 (también conocida como noticias (news) a correo (email). • https://www.exploit-db.com/exploits/9825 http://osvdb.org/58363 http://secunia.com/advisories/36832 http://websecurity.com.ua/3528 http://www.securityfocus.com/archive/1/506704/100/0/threaded http://www.securityfocus.com/bid/36517 http://www.securitytracker.com/id?1022947 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.1EPSS: 1%CPEs: 68EXPL: 1CVE-2009-1409 – e107 < 0.7.15 - 'extended_user_fields' Blind SQL Injection
https://notcve.org/view.php?id=CVE-2009-1409
SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the hide parameter, a different vector than CVE-2005-4224 and CVE-2008-5320. Una vulnerabilidad de inyección de SQL en usersettings.php en e107 v0.7.15 y anteriores, cuando la opción "Campos de usuario extendidos" está activado y magic_quotes_gpc está desactivado, permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro Hide. Se trata de un vector diferente al de CVE-2005-4224 y CVE-2008-5320. • https://www.exploit-db.com/exploits/8495 http://osvdb.org/53812 http://secunia.com/advisories/34823 http://www.securityfocus.com/bid/34614 https://exchange.xforce.ibmcloud.com/vulnerabilities/49981 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2008-6466 – e107 Plugin Image Gallery 0.9.6.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2008-6466
SQL injection vulnerability in image_gallery.php in the Akira Powered Image Gallery (image_gallery) plugin 0.9.6.2 for e107 allows remote attackers to execute arbitrary SQL commands via the image parameter in an image-detail action. Una vulnerabilidad de inyección SQL en el archivo image_gallery.php en el plugin Image Gallery (image_gallery) de Akira Powered versión 0.9.6.2 para e107, permite a los atacantes remotos ejecutar comandos SQL arbitrarios por medio del parámetro image en una acción image-detail . • https://www.exploit-db.com/exploits/6516 http://secunia.com/advisories/34384 http://www.securityfocus.com/bid/31286 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 3%CPEs: 2EXPL: 5CVE-2008-6438 – e107 Plugin BLOG Engine 2.1.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2008-6438
SQL injection vulnerability in macgurublog_menu/macgurublog.php in the MacGuru BLOG Engine plugin 2.2 for e107 allows remote attackers to execute arbitrary SQL commands via the uid parameter, a different vector than CVE-2008-2455. NOTE: it was later reported that 2.1.4 is also affected. Vulnerabilidad de inyección SQL en macgurublog_menu/macgurublog.php en la extensión (plugin) MacGuru BLOG Engine v2.2 para e107 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro "uid", un vector diferente a CVE-2008-2455. • https://www.exploit-db.com/exploits/6856 https://www.exploit-db.com/exploits/5666 https://www.exploit-db.com/exploits/6346 https://www.exploit-db.com/exploits/6158 http://osvdb.org/51408 http://secunia.com/advisories/30212 http://www.securityfocus.com/archive/1/492506/100/0/threaded http://www.securityfocus.com/bid/29344 http://www.vupen.com/english/advisories/2008/2468 https://exchange.xforce.ibmcloud.com/vulnerabilities/42715 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2008-6208
https://notcve.org/view.php?id=CVE-2008-6208
Cross-site scripting (XSS) vulnerability in submitnews.php in e107 CMS 0.7.11 allows remote attackers to inject arbitrary web script or HTML via the (1) author_name, (2) itemtitle, and (3) item parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en submitnews.php en e107 CMS v0.7.11 permite a atacantes remotos inyectar web script o HTML de su elección a través de los parámetros (1) author_name, (2) itemtitle, y (3) item. NOTA: la procedencia de esta información es desconocida; los detalles han sido obtenidos solamente a partir de la información de terceros. • http://www.juniper.net/security/auto/vulnerabilities/vuln28982.html http://www.securityfocus.com/bid/28982 https://exchange.xforce.ibmcloud.com/vulnerabilities/42248 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •